Question
I am working on adding a custom SAML 2.0 identity provider (Okta) to use with my B2C tenant. I have configured it and it works great when I initiate the login from my application. However, when I initiate the login from the identity provider (Okta) it fails to log in. On the first attempt I received this error from B2C: "does not specify first step or the first step is not a claims exchange". As a result of this error, I removed the extra claims providers from the custom policy so the ClaimsExchange was the first journey step, and then I received this error: "Specified method is not supported.".
Is this scenario supported? If so, what changes to the custom policies need to be done to support it?
Answer 1:
For information about creating a user journey that implements the IdP-initiated SSO, see Identity provider initiated flow.
Answer 2:
Looking at the documentation, it is possible:
- Define a SAML technical profile in an Azure Active Directory B2C custom policy
There is metadata that you will have to specify:
- IdpInitiatedProfileEnabled: Indicates whether a single sign-on session profile is enabled that was initiated by a SAML identity provider profile. Possible values: `true` or `false`. The default is `false`. In the flow initiated by the identity provider, the user is authenticated externally and an unsolicited response is sent to Azure AD B2C, which then consumes the token, executes orchestration steps, and then sends a response to the relying party application.
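The two errors in the question map to two requirements that can be checked statically before uploading a policy: the journey used for the unsolicited SAML response must open with a ClaimsExchange step, and the SAML technical profile that step references must set `IdpInitiatedProfileEnabled` to `true` (it defaults to `false`). The following script is an added example, not code from the question, the answers or Microsoft; the embedded policy is a constructed sample with made-up names (`Okta-SAML2`, `OktaExchange`, `SignInIdpInitiated`, the `okta.example.invalid` entity URL), and it assumes the standard TrustFrameworkPolicy XML namespace used by B2C custom policies.

```python
"""Static pre-flight check of an Azure AD B2C custom policy for IdP-initiated SAML SSO.

Assumptions (not taken from the Stack Overflow page):
- the policy uses the TrustFrameworkPolicy namespace
  http://schemas.microsoft.com/online/cpim/schemas/2013/06
- the SAML technical profile to inspect is whichever one the journey's
  first ClaimsExchange references
- SAMPLE_POLICY below is a constructed sample; all Ids and URLs are made up
"""
import xml.etree.ElementTree as ET

NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample: one SAML2 claims provider and two journeys. The first
# journey is the usual SP-initiated shape (it starts with a sign-in page, so
# it cannot serve an unsolicited response); the second is built for
# IdP-initiated sign-in and starts directly with the claims exchange.
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Okta</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="Okta-SAML2">
          <DisplayName>Okta</DisplayName>
          <Protocol Name="SAML2"/>
          <Metadata>
            <Item Key="PartnerEntity">https://okta.example.invalid/metadata</Item>
            <Item Key="IdpInitiatedProfileEnabled">true</Item>
          </Metadata>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignIn">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
          <ClaimsProviderSelections>
            <ClaimsProviderSelection TargetClaimsExchangeId="OktaExchange"/>
          </ClaimsProviderSelections>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="OktaExchange" TechnicalProfileReferenceId="Okta-SAML2"/>
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="3" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
      </OrchestrationSteps>
    </UserJourney>
    <UserJourney Id="SignInIdpInitiated">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="ClaimsExchange">
          <ClaimsExchanges>
            <ClaimsExchange Id="OktaExchange" TechnicalProfileReferenceId="Okta-SAML2"/>
          </ClaimsExchanges>
        </OrchestrationStep>
        <OrchestrationStep Order="2" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer"/>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
</TrustFrameworkPolicy>
"""


def check_idp_initiated(policy_xml: str, journey_id: str) -> list:
    """Return the problems that would block IdP-initiated SSO for journey_id.

    An empty list means both requirements are met: the first orchestration
    step is a ClaimsExchange, and every SAML2 technical profile it references
    has IdpInitiatedProfileEnabled set to true.
    """
    root = ET.fromstring(policy_xml)
    problems = []

    journey = root.find(f".//cpim:UserJourney[@Id='{journey_id}']", NS)
    if journey is None:
        return [f"user journey {journey_id!r} not found"]

    # Order attributes decide execution order, not document order.
    steps = journey.findall("cpim:OrchestrationSteps/cpim:OrchestrationStep", NS)
    steps.sort(key=lambda s: int(s.get("Order", "0")))
    if not steps:
        return ["journey has no orchestration steps"]

    # Requirement 1: the unsolicited response must land on a ClaimsExchange.
    first = steps[0]
    if first.get("Type") != "ClaimsExchange":
        problems.append(f"first step is {first.get('Type')!r}, must be ClaimsExchange")
        return problems

    # Requirement 2: the referenced SAML profile must opt in to IdP-initiated flow.
    for exch in first.findall("cpim:ClaimsExchanges/cpim:ClaimsExchange", NS):
        tp_id = exch.get("TechnicalProfileReferenceId")
        tp = root.find(f".//cpim:TechnicalProfile[@Id='{tp_id}']", NS)
        if tp is None:
            problems.append(f"technical profile {tp_id!r} not found")
            continue
        proto = tp.find("cpim:Protocol", NS)
        if proto is None or proto.get("Name") != "SAML2":
            problems.append(f"{tp_id}: protocol is not SAML2")
        item = tp.find("cpim:Metadata/cpim:Item[@Key='IdpInitiatedProfileEnabled']", NS)
        if item is None or (item.text or "").strip().lower() != "true":
            problems.append(f"{tp_id}: IdpInitiatedProfileEnabled is not true (default is false)")
    return problems


if __name__ == "__main__":
    for jid in ("SignUpOrSignIn", "SignInIdpInitiated"):
        print(jid, "->", check_idp_initiated(SAMPLE_POLICY, jid) or "ok")
```

Run against a real policy by passing the file contents and the Id of the journey named in the relying party file; a journey that begins with a sign-in page (the usual SP-initiated shape) is reported by the first check, and a profile that leaves the metadata item at its default is reported by the second.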
Source: https://stackoverflow.com/questions/54079978/is-idp-initiated-sso-supported-with-a-custom-saml-idp-in-azure-ad-b2c